LQ weekly security rep - Sep 10th 2003
Sep 8th 2003
14 of 33 issues handled (SF)
1. LinuxNode Remote Buffer Overflow Vulnerability
3. XFree86 Multiple Unspecified Integer Overflow Vulnerabilities
7. Exim EHLO/HELO Remote Heap Corruption Vulnerability
8. Ezboard 'invitefriends.php3' Cross Site Scripting Vulnerability
9. TSguestbook Message Field HTML Injection Vulnerability
10. Sitebuilder 'sitebuilder.cgi' Directory Traversal File Disclosure
11. Multiple Vendor PC2Phone Software Remote Denial of Service Vulnerability
22. PADL Software PAM_LDAP PAM Filter Access Restriction Failure
24. Stunnel Leaked File Descriptor Vulnerability
26. WebCalendar Multiple Cross-Site Scripting Vulnerabilities
27. WebCalendar Multiple Module SQL Injection Vulnerabilities
28. Leafnode fetchnews Remote Denial of Service Vulnerability
32. EZ-WEB Site Builder Advanced Editor Selectedpage Parameter Disclosure
33. Asterisk SIP Request Buffer Overrun Vulnerability

Sep 08th 2003
16 of 47 issues handled (ISS)
suidperl error message information disclosure
Exim HELO or EHLO command heap overflow
Barricade Wireless Cable/DSL Broadband Router could allow an attacker to determine passwords
Go2Call overly large UDP packet buffer overflow
MPlayer buffer overflow
LinuxNode format string
Gastenboek name and message fields cross-site scripting
pam_ldap pam_filter could allow unauthorized access
WebCalendar multiple scripts cross-site scripting
WebCalendar multiple scripts allow SQL injection
Stunnel file descriptor leak could allow an attacker to hijack the server
Leafnode fetchnews denial of service
CatalogIntegrator could allow access to the expire.mdb database file
Asterisk SIP MESSAGE and INFO request buffer overflow
Python Publishing Accessories error page cross-site scripting
VMware symlink attack

Sep 5th 2003
14 issues handled (LAW)
atari800, eroaster, gallery, gdm, horde, mindi, node, pam_smb, phpwebsite, sendmail, up2date, vmware
Sep 5th 2003 (LAW)
Linux Advisory Watch
Distribution: Conectiva

8/29/2003 - 'sendmail' remote vulnerability
Sendmail versions 8.12.8 and before (but only of the 8.12.x branch) have a remote vulnerability related to DNS maps.
http://www.linuxsecurity.com/advisor...sory-3587.html

9/1/2003 - gdm Multiple vulnerabilities
This update fixes multiple vulnerabilities, including an arbitrary file content disclosure, a crash resulting from a misuse of free(), and a segfault while checking authorization data.
http://www.linuxsecurity.com/advisor...sory-3591.html

Distribution: Debian

8/29/2003 - 'node' buffer overflow, format string
Morgan alias SM6TKY discovered and fixed several security-related problems in LinuxNode, an Amateur Packet Radio Node program. The buffer overflow he discovered can be used to gain unauthorised root access and can be remotely triggered.
http://www.linuxsecurity.com/advisor...sory-3583.html

Distribution: Gentoo

9/1/2003 - pam_smb Remote buffer overflow vulnerability
If a long password is supplied, this can cause a buffer overflow which could be exploited to execute arbitrary code with the privileges of the process which invokes PAM services.
http://www.linuxsecurity.com/advisor...sory-3588.html

9/1/2003 - vmware Insecure symlink vulnerability
The previous GLSA 200308-03 was wrong when it stated that vmware-workstation-4.0.1-5289 would fix the problems described in the advisory.
http://www.linuxsecurity.com/advisor...sory-3589.html

9/1/2003 - horde Remote session hijacking
An attacker could send an email to a victim who makes use of Horde in order to entice them to visit a website. The website in question logs all accesses and records, in particular, the origin of every visitor.
http://www.linuxsecurity.com/advisor...sory-3590.html

9/2/2003 - 'phpwebsite' SQL injection vulnerability
phpwebsite contains an SQL injection vulnerability in the calendar module which allows an attacker to execute SQL queries.
http://www.linuxsecurity.com/advisor...sory-3592.html

9/2/2003 - 'eroaster' temporary file vulnerability
Previous eroaster versions allowed local users to overwrite arbitrary files via a symlink attack on a temporary file that is used as a lockfile.
http://www.linuxsecurity.com/advisor...sory-3593.html

9/2/2003 - 'mindi' temporary file vulnerability
Mindi creates files in /tmp in a way that could allow a local user to overwrite arbitrary files.
http://www.linuxsecurity.com/advisor...sory-3594.html

9/2/2003 - 'gallery' cross-site scripting vulnerability
A cross-site scripting (XSS) vulnerability in search.php of Gallery 1.1 through 1.3.4 allows remote attackers to insert arbitrary web script via the searchstring parameter.
http://www.linuxsecurity.com/advisor...sory-3595.html

9/2/2003 - 'atari800' buffer overflow
atari800 contains a buffer overflow which could be used by an attacker to gain root privileges.
http://www.linuxsecurity.com/advisor...sory-3596.html

Distribution: Red Hat

8/29/2003 - 'sendmail' DNS maps DoS
Updated Sendmail packages are available to fix a vulnerability in the handling of DNS maps.
http://www.linuxsecurity.com/advisor...sory-3584.html

8/29/2003 - 'up2date' required update
New versions of the up2date and rhn_register clients are available and are required for continued access to Red Hat Network.
http://www.linuxsecurity.com/advisor...sory-3585.html

Distribution: TurboLinux

8/29/2003 - pam_smb vulnerability
A remote buffer overflow exists in the pam_smb module; an attacker can exploit it wherever pam_smb is configured to authenticate a remotely accessible service.
http://www.linuxsecurity.com/advisor...sory-3586.html
Sep 08th 2003 (ISS)
Internet Security Systems
Date Reported: 08/27/2003
Brief Description: suidperl error message information disclosure
Risk Factor: Medium
Attack Type: Host Based
Platforms: Linux Any version, suidperl Any version, Unix Any version
Vulnerability: suidperl-error-info-disclosure
X-Force URL: http://xforce.iss.net/xforce/xfdb/13065

Date Reported: 09/01/2003
Brief Description: Exim HELO or EHLO command heap overflow
Risk Factor: High
Attack Type: Network Based
Platforms: Conectiva Linux 7.0, Conectiva Linux 8.0, Conectiva Linux 9.0, Debian Linux 3.0, Exim prior to 4.21, Unix Any version
Vulnerability: exim-helo-heap-overflow
X-Force URL: http://xforce.iss.net/xforce/xfdb/13067

Date Reported: 08/31/2003
Brief Description: Barricade Wireless Cable/DSL Broadband Router could allow an attacker to determine passwords
Risk Factor: Medium
Attack Type: Network Based
Platforms: Barricade Wireless Router (SMC7004VBR) Any version
Vulnerability: barricade-router-password-bruteforce
X-Force URL: http://xforce.iss.net/xforce/xfdb/13073

Date Reported: 09/01/2003
Brief Description: Go2Call overly large UDP packet buffer overflow
Risk Factor: Low
Attack Type: Network Based
Platforms: Go2Call Any version, Linux Any version, Unix Any version, Windows Any version
Vulnerability: go2call-udppacket-bo
X-Force URL: http://xforce.iss.net/xforce/xfdb/13075

Date Reported: 08/31/2003
Brief Description: MPlayer buffer overflow
Risk Factor: Low
Attack Type: Network Based
Platforms: Linux Any version, MPlayer 0.91 and earlier
Vulnerability: mplayer-bo
X-Force URL: http://xforce.iss.net/xforce/xfdb/13076

Date Reported: 08/29/2003
Brief Description: LinuxNode format string
Risk Factor: High
Attack Type: Network Based
Platforms: Debian Linux 3.0, LinuxNode 0.3.2 and earlier
Vulnerability: linuxnode-format-string
X-Force URL: http://xforce.iss.net/xforce/xfdb/13077

Date Reported: 09/01/2003
Brief Description: Gastenboek name and message fields cross-site scripting
Risk Factor: Medium
Attack Type: Network Based
Platforms: Gastenboek Any version, Linux Any version, Unix Any version, Windows Any version
Vulnerability: gastenboek-name-message-xss
X-Force URL: http://xforce.iss.net/xforce/xfdb/13078

Date Reported: 09/02/2003
Brief Description: pam_ldap pam_filter could allow unauthorized access
Risk Factor: Medium
Attack Type: Host Based
Platforms: Mandrake Linux 9.1, pam_ldap 161 and earlier
Vulnerability: pamldap-pamfilter-unauth-access
X-Force URL: http://xforce.iss.net/xforce/xfdb/13079

Date Reported: 09/03/2003
Brief Description: WebCalendar multiple scripts cross-site scripting
Risk Factor: Medium
Attack Type: Network Based
Platforms: Linux Any version, Unix Any version, WebCalendar 0.9.42 and earlier, Windows Any version
Vulnerability: webcalendar-multiple-xss
X-Force URL: http://xforce.iss.net/xforce/xfdb/13094

Date Reported: 09/03/2003
Brief Description: WebCalendar multiple scripts allow SQL injection
Risk Factor: Medium
Attack Type: Network Based
Platforms: Linux Any version, Unix Any version, WebCalendar 0.9.42 and earlier, Windows Any version
Vulnerability: webcalendar-multiple-sql-injection
X-Force URL: http://xforce.iss.net/xforce/xfdb/13096

Date Reported: 09/03/2003
Brief Description: Stunnel file descriptor leak could allow an attacker to hijack the server
Risk Factor: Medium
Attack Type: Network Based
Platforms: Any application Any version, Conectiva Linux 7.0, Conectiva Linux 8.0, Conectiva Linux 9.0, Stunnel 3.24 and earlier, Stunnel 4.0
Vulnerability: stunnel-file-descriptor-hijack
X-Force URL: http://xforce.iss.net/xforce/xfdb/13097

Date Reported: 09/03/2003
Brief Description: Leafnode fetchnews denial of service
Risk Factor: Low
Attack Type: Network Based
Platforms: Leafnode 1.9.3 through 1.9.41, Linux Any version, Unix Any version
Vulnerability: leafnode-fetchnews-dos
X-Force URL: http://xforce.iss.net/xforce/xfdb/13098

Date Reported: 09/02/2003
Brief Description: CatalogIntegrator could allow access to the expire.mdb database file
Risk Factor: Medium
Attack Type: Network Based
Platforms: CatalogIntegratorCart Any version, Linux Any version, Unix Any version, Windows Any version
Vulnerability: catalogintegratorcart-expire-file-access
X-Force URL: http://xforce.iss.net/xforce/xfdb/13106

Date Reported: 09/04/2003
Brief Description: Asterisk SIP MESSAGE and INFO request buffer overflow
Risk Factor: High
Attack Type: Network Based
Platforms: Asterisk prior to 8/15/2003, Linux 2.4.x
Vulnerability: asterisk-sip-message-bo
X-Force URL: http://xforce.iss.net/xforce/xfdb/13111

Date Reported: 09/05/2003
Brief Description: Python Publishing Accessories error page cross-site scripting
Risk Factor: Medium
Attack Type: Network Based
Platforms: Linux Any version, Python Publishing Accessories (PPA) 0.2.1, Unix Any version, Windows Any version
Vulnerability: ppa-error-xss
X-Force URL: http://xforce.iss.net/xforce/xfdb/13113

Date Reported: 09/03/2003
Brief Description: VMware symlink attack
Risk Factor: Medium
Attack Type: Host Based
Platforms: Linux Any version, VMware Workstation 4.0.1-5289 and earlier
Vulnerability: vmware-symlink
X-Force URL: http://xforce.iss.net/xforce/xfdb/13114
Sep 8th 2003 (SF)
SecurityFocus
1. LinuxNode Remote Buffer Overflow Vulnerability
BugTraq ID: 8512
Remote: Yes
Date Published: Aug 29 2003
Relevant URL: http://www.securityfocus.com/bid/8512
Summary:
LinuxNode is an amateur packet radio node program. It has been reported that LinuxNode is prone to a remote buffer overflow condition due to insufficient bounds checking. A remote attacker may exploit this issue to execute arbitrary code in the context of the user running the vulnerable software; successful exploitation may allow an attacker to gain unauthorized access to the vulnerable host. Explicit technical details regarding this vulnerability are not currently available. This BID will be updated as further details are made public. Although LinuxNode 0.3.0 has been reported to be vulnerable, other versions may be affected as well.

3. XFree86 Multiple Unspecified Integer Overflow Vulnerabilities
BugTraq ID: 8514
Remote: Yes
Date Published: Aug 30 2003
Relevant URL: http://www.securityfocus.com/bid/8514
Summary:
Multiple integer overflow vulnerabilities have been discovered in XFree86 4.3.0. The problem occurs due to insufficient sanity checks within the font libraries. As a result, a malicious font server that transmits font data to a target client may include a malformed integer value designed to pass a bounds-checking calculation unexpectedly and trigger a buffer overrun. This could cause memory corruption within stack or heap process space, ultimately allowing the execution of arbitrary code with the privileges of the client program. Under some non-default XFree86 configurations, the X server and XFS daemons have been reported to act as clients of the font server, making it possible for these services to be exploited remotely. Although unconfirmed, these integer overflow vulnerabilities may be present in earlier versions of XFree86.
Precise technical details regarding these vulnerabilities are currently unavailable; this BID will be updated as further information is released.

7. Exim EHLO/HELO Remote Heap Corruption Vulnerability
BugTraq ID: 8518
Remote: Yes
Date Published: Sep 01 2003
Relevant URL: http://www.securityfocus.com/bid/8518
Summary:
Exim is a message transfer agent (MTA) developed at the University of Cambridge and available under the GNU General Public License. It runs on Linux and other Unix-like operating systems. A heap buffer overflow vulnerability has been discovered in Exim. The problem is said to affect all Exim 3 and Exim 4 versions prior to Exim 4.21. The issue occurs due to insufficient bounds checking performed when handling user-supplied SMTP EHLO/HELO command data. The vulnerability specifically occurs within the 'smtp_in.c' source file when handling invalid EHLO/HELO arguments. If the EHLO/HELO argument contains 506 leading spaces followed by a NUL byte and a CRLF, a static string intended for a syntax error message is appended to the command argument data. The resulting string then exceeds the size of the buffer reserved for it on the heap. The entire string is copied, without the spaces being stripped, into the affected command buffer, so the heap memory-management structures adjacent to that buffer are corrupted with the surplus data. It has been reported that this vulnerability is unlikely to be exploitable to execute arbitrary code, because free() is never called on the attacker-controlled malloc chunk. Exploitation attempts are further hindered because the uncontrollable static string 'o argument given)\0' is appended to the attacker-supplied data, which complicates crafting a valid corruption of the adjacent malloc header.
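As an added illustration of the failure class the Exim entry describes, the following constructed C model (not Exim's smtp_in.c, and not code from this report) copies a client-controlled argument into a fixed-size heap command buffer without stripping its leading whitespace and then appends a static error message without checking the space left. The 512-byte buffer size, the message text "(no argument given)" and all function names are assumptions made for the example; the real Exim sizes differ. The hardened formatter strips the whitespace first and bounds the write by the buffer, not by anything the client sent.

```c
/* Added example: a constructed model of the append-into-fixed-heap-buffer bug
 * described for Exim's HELO/EHLO handling. This is NOT Exim's smtp_in.c; the
 * buffer size, the error text and the function names are assumptions. */
#include <stdio.h>
#include <string.h>

#define CMD_BUFFER_SIZE 512                              /* assumed heap command buffer size */
static const char NOARG_MSG[] = "(no argument given)";  /* assumed static error text */

/* Bytes by which an unchecked strcat(buf, NOARG_MSG) would run past a
 * CMD_BUFFER_SIZE buffer that already holds arg_len bytes of the unstripped
 * argument. 0 means the write fits, terminator included. */
size_t helo_error_overrun(size_t arg_len) {
    size_t need = arg_len + strlen(NOARG_MSG) + 1;      /* +1: trailing NUL */
    return need > CMD_BUFFER_SIZE ? need - CMD_BUFFER_SIZE : 0;
}

/* Hardened formatting: leading whitespace is stripped first (so a
 * whitespace-only argument collapses to ""), and the write is bounded by the
 * real buffer size. Returns the number of bytes written, or -1 if the
 * message would not fit. */
int format_helo_error(const char *arg, char *out, size_t out_size) {
    while (*arg == ' ' || *arg == '\t')
        arg++;
    int n = snprintf(out, out_size, "%s%s", arg, NOARG_MSG);
    if (n < 0 || (size_t)n >= out_size) {
        if (out_size)
            out[0] = '\0';                               /* never leave a partial message */
        return -1;
    }
    return n;
}

/* Driver: builds an argument of arg_len copies of `fill` (the advisory's case
 * is 506 spaces followed by a NUL) and formats it into a fresh buffer. */
int helo_error_for_length(size_t arg_len, char fill) {
    char arg[2048];
    char out[CMD_BUFFER_SIZE];
    if (arg_len >= sizeof arg)
        return -2;
    memset(arg, fill, arg_len);
    arg[arg_len] = '\0';
    return format_helo_error(arg, out, sizeof out);
}

int main(void) {
    printf("506 spaces + static message: unchecked append overruns by %zu bytes\n",
           helo_error_overrun(506));
    printf("hardened formatter, 506 spaces: %d\n", helo_error_for_length(506, ' '));
    printf("hardened formatter, 500 x 'a':  %d\n", helo_error_for_length(500, 'a'));
    return 0;
}
```

The model deliberately computes the overrun instead of performing it, so it can be run without corrupting its own heap; the point to take from it is that every append into a caller-sized buffer needs the remaining space checked at the append, not at the point where the data was first read.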
8. Ezboard 'invitefriends.php3' Cross Site Scripting Vulnerability
BugTraq ID: 8519
Remote: Yes
Date Published: Sep 01 2003
Relevant URL: http://www.securityfocus.com/bid/8519
Summary:
The 'invitefriends.php3' script of Ezboard has been reported prone to cross-site scripting attacks. The issue occurs due to a lack of sufficient sanitization of user-supplied URI parameters. Specifically, the 'action' parameter is not sufficiently filtered for embedded script code. This could be exploited to cause hostile HTML and script code to be rendered in the browser of a user who is enticed to visit a malicious link to the vulnerable script. The code would be interpreted in the context of the vulnerable site. Exploitation could allow theft of cookie-based authentication credentials or other attacks. It is currently unknown which versions of Ezboard are affected by this vulnerability. This BID will be updated as further information is made available.

9. TSguestbook Message Field HTML Injection Vulnerability
BugTraq ID: 8520
Remote: Yes
Date Published: Sep 01 2003
Relevant URL: http://www.securityfocus.com/bid/8520
Summary:
TSguestbook is an object-oriented guestbook program implemented in PHP. It has been reported that TSguestbook may be prone to HTML injection attacks. The problem is said to occur due to insufficient sanitization of user-supplied input in the 'message' field. As a result, an attacker may post a guestbook entry including malicious HTML or script code in that field. When the entry is later viewed by unsuspecting users, the injected code will be interpreted in their browsers. This could ultimately result in the theft of sensitive information, such as cookie-based authentication credentials, or other attacks. This vulnerability is said to affect TSguestbook 2.1 and possibly earlier.
10. Sitebuilder 'sitebuilder.cgi' Directory Traversal File Disclosure
BugTraq ID: 8521
Remote: Yes
Date Published: Sep 01 2003
Relevant URL: http://www.securityfocus.com/bid/8521
Summary:
Sitebuilder is said to be prone to a directory traversal vulnerability, potentially allowing users to disclose the contents of system files. The problem occurs because the application fails to filter user-supplied input to the 'sitebuilder.cgi' script for directory traversal sequences (../), making it possible to access files outside of the established web root. This could allow an attacker to obtain information useful in launching further attacks, such as passwords or sensitive user information. This vulnerability is said to affect Sitebuilder 1.4.

11. Multiple Vendor PC2Phone Software Remote Denial of Service Vulnerability
BugTraq ID: 8523
Remote: Yes
Date Published: Sep 01 2003
Relevant URL: http://www.securityfocus.com/bid/8523
Summary:
It has been reported that multiple PC2Phone products are prone to a remote denial of service condition. The problem is said to occur when processing excessive data passed to the programs in a UDP packet, and could result in the product crashing. This could cause an established conversation to end prematurely, or potentially enable other attacks. The vulnerability has been triggered by transmitting the UDP packet to port 5000 on Go2Call Cash Calling, as well as Net2Phone Dialer. To trigger the issue in Yahoo! Messenger, however, the packet must be sent to UDP port 6801. Reports indicate that the problem may in fact lie within the Go2Call Cash Calling program and that other products derived from its source code are also affected; this has not yet been confirmed. The precise technical details regarding this issue are currently unknown; this BID will be updated as further information is made available.
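Both the Sitebuilder entry above (BID 8521) and the EZ-WEB Site Builder entry later in this list (BID 8545) come down to a script opening a file named by a client parameter without checking for '../' sequences. As an added example (not code from either product or from this report), the following C function performs the check such a script needs: it walks the decoded relative path segment by segment and refuses any path whose '..' components would climb above the document root, and a small wrapper only builds the full filesystem path once the check passes. The root directory, the sample paths and the function names are assumptions made for the example.

```c
/* Added example, not Sitebuilder's or EZ-WEB's code: a lexical check that
 * rejects a client-supplied relative path if it climbs above the document
 * root. Run it on the *decoded* parameter value (after %2e%2e / %2f decoding)
 * and before any file is opened. Root path and names are assumptions. */
#include <stdio.h>
#include <string.h>

/* Returns 1 if `rel` escapes the root via "..", 0 if it stays inside, and -1
 * if it is NULL, empty, absolute, or contains a backslash (which some servers
 * treat as a separator and which this check therefore refuses outright). */
int path_escapes_root(const char *rel) {
    if (rel == NULL || *rel == '\0' || *rel == '/' || strchr(rel, '\\'))
        return -1;
    int depth = 0;                               /* directories below the root */
    const char *p = rel;
    while (*p) {
        const char *seg = p;
        while (*p && *p != '/')
            p++;
        size_t len = (size_t)(p - seg);
        if (len == 2 && seg[0] == '.' && seg[1] == '.') {
            if (depth == 0)
                return 1;                        /* ".." with nothing left to pop */
            depth--;
        } else if (len > 0 && !(len == 1 && seg[0] == '.')) {
            depth++;                             /* ordinary segment; "." and "//" are ignored */
        }
        while (*p == '/')
            p++;
    }
    return 0;
}

/* Builds root/rel only when the check passes. Returns 0 on success and -1
 * when the request must be refused (or the result would not fit). */
int resolve_under_root(const char *root, const char *rel, char *out, size_t out_size) {
    if (path_escapes_root(rel) != 0)
        return -1;
    int n = snprintf(out, out_size, "%s/%s", root, rel);
    return (n < 0 || (size_t)n >= out_size) ? -1 : 0;
}

int main(void) {
    /* Constructed sample parameter values, as a traversal attempt might send them. */
    const char *samples[] = {"pages/index.html", "../../../etc/passwd",
                             "pages/../../etc/passwd", "a/b/../c.html", "./x/../y"};
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        char full[256];
        int ok = resolve_under_root("/var/www/site", samples[i], full, sizeof full);
        printf("%-26s -> %s\n", samples[i], ok == 0 ? full : "REFUSED");
    }
    return 0;
}
```

The check is purely lexical, so it must see the fully decoded value and it says nothing about symbolic links inside the root that point elsewhere; for that, resolve the final path with realpath() and verify that the canonical result still starts with the canonical root.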
22. PADL Software PAM_LDAP PAM Filter Access Restriction Failure
BugTraq ID: 8535
Remote: Yes
Date Published: Sep 03 2003
Relevant URL: http://www.securityfocus.com/bid/8535
Summary:
PAM_LDAP is the PAM module package designed to allow authentication against LDAP servers via PAM-compliant authentication mechanisms. It is available for the Unix and Linux platforms. A problem in the PAM filter portion of PAM_LDAP has been identified that may fail to restrict access to certain systems. This may allow unauthorized access to network resources. The problem is in the handling of values supplied to the PAM filter. When the PAM filter is used to restrict users logging in from unauthorized hosts, the filter may fail to restrict the user's access, so that a user gains access to a system from an unauthorized host. This also creates a false sense of security, as the PAM filter has been configured to restrict access but is not performing as expected.

24. Stunnel Leaked File Descriptor Vulnerability
BugTraq ID: 8537
Remote: No
Date Published: Sep 03 2003
Relevant URL: http://www.securityfocus.com/bid/8537
Summary:
Stunnel is a freely available, open source cryptographic wrapper. It is designed to wrap arbitrary protocols that may or may not support cryptography themselves. It is maintained by the Stunnel project. Stunnel has been reported prone to a file descriptor leakage vulnerability. The issue reportedly exists because an fcntl() call in the Stunnel source is made without the FD_CLOEXEC flag. As a result, the file descriptor of the socket on which Stunnel calls listen() is inherited by unprivileged child processes. If Stunnel is used to tunnel an application or service that provides shell access, such as telnet, the shell will have the affected file descriptor leaked to it. An unprivileged attacker may exploit this issue to hijack the Stunnel server.
Other file descriptors are also reportedly leaked, which may be exploitable in a similar manner. This issue has been reported to affect Stunnel versions 3.24, 4.00 and previous.

26. WebCalendar Multiple Cross-Site Scripting Vulnerabilities
BugTraq ID: 8539
Remote: Yes
Date Published: Sep 03 2003
Relevant URL: http://www.securityfocus.com/bid/8539
Summary:
WebCalendar is a PHP-based application, used as a calendar for one or more clients. WebCalendar can be used with MySQL, Oracle, PostgreSQL or ODBC. Multiple cross-site scripting vulnerabilities have been reported in various modules of WebCalendar. The vulnerabilities may allow an attacker to execute malicious script code in a legitimate user's browser due to unsanitized user input. The issues have been reported to exist in the $color parameter of includes/js/colors.php, the $user parameter of week.php, and the $eventinfo parameter of week.php, day.php, month.php, week_details.php, view_l.php, view_m.php, view_t.php, view_v.php and view_w.php. HTML and script code may not be filtered from user-supplied input before being displayed. Therefore it may be possible to construct a malicious link containing script code that is executed in the browser of a user who visits the link, in the context of the vulnerable site. Successful exploitation could allow theft of cookie-based authentication credentials from users. Other attacks are also possible.

27. WebCalendar Multiple Module SQL Injection Vulnerabilities
BugTraq ID: 8540
Remote: Yes
Date Published: Sep 03 2003
Relevant URL: http://www.securityfocus.com/bid/8540
Summary:
WebCalendar is a PHP-based application, used as a calendar for one or more clients. WebCalendar can be used with MySQL, Oracle, PostgreSQL or ODBC. Multiple SQL injection vulnerabilities have been reported in various modules of the software.
The issues may allow an attacker to inject malicious SQL syntax into database queries. The source of these issues is insufficient sanitization of user-supplied input before it is included in database queries. A remote attacker may exploit this to influence SQL query logic. The vulnerabilities have been reported to exist in the view_t.php, view_w.php, view_v.php and login.php modules of the software. This may allow an attacker to gain access to sensitive data stored in the database. Other attacks on the underlying database are possible as well.

28. Leafnode fetchnews Remote Denial of Service Vulnerability
BugTraq ID: 8541
Remote: Yes
Date Published: Sep 04 2003
Relevant URL: http://www.securityfocus.com/bid/8541
Summary:
Leafnode is a Usenet news proxy. It allows online news readers to read news offline. fetchnews is the NNTP client used with Leafnode. fetchnews is reported to be prone to a remote denial of service vulnerability that may allow a remote attacker to cause the software to hang. The vulnerability may be triggered if an attacker sends certain non-RFC 1036-compliant Usenet news articles to the server from which fetchnews retrieves. As fetchnews attempts to retrieve the articles, it may wait for input that never arrives. Since only one fetchnews process is allowed to run at a time, any fetchnews processes started afterwards fail immediately. This issue does not exhaust CPU resources but limits the availability of the client while the condition persists. Successful exploitation may allow an attacker to deny service to a vulnerable version of the software by posting malformed news articles, with the result that the local news store is not updated. This vulnerability affects Leafnode 1.9.3 to 1.9.41. The default installation of Leafnode is also affected. The vendor has advised that versions 1.9.42 and newer are not vulnerable to this issue.
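The Stunnel entry above (BID 8537) turns on one detail: a listening socket left without FD_CLOEXEC survives the exec() of the tunnelled service, so whoever controls that service can accept() on Stunnel's own listener. As an added example (not stunnel's code and not part of this report), the following C program makes that concrete: it opens a loopback listener, execs /bin/sh as a stand-in for telnetd or a login shell, and has the shell try to dup the inherited descriptor; it then repeats the experiment after setting the close-on-exec flag with fcntl(). Everything else (loopback address, the shell check, the function names) is an assumption made for the example.

```c
/* Added example, not stunnel's code: why a listening socket must be marked
 * FD_CLOEXEC before the tunnelled service (telnetd, a login shell, ...) is
 * exec()'d. /bin/sh stands in for the spawned service. */
#include <arpa/inet.h>
#include <fcntl.h>
#include <netinet/in.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* A TCP listener on 127.0.0.1, ephemeral port: a constructed stand-in for the
 * accept socket a wrapper like stunnel keeps open. Returns the fd or -1. */
int make_listener(void) {
    int fd = socket(AF_INET, SOCK_STREAM, 0);
    if (fd < 0)
        return -1;
    struct sockaddr_in sa;
    memset(&sa, 0, sizeof sa);
    sa.sin_family = AF_INET;
    sa.sin_addr.s_addr = htonl(INADDR_LOOPBACK);
    sa.sin_port = 0;
    if (bind(fd, (struct sockaddr *)&sa, sizeof sa) < 0 || listen(fd, 5) < 0) {
        close(fd);
        return -1;
    }
    return fd;
}

/* The fix: fcntl(F_SETFD) with FD_CLOEXEC, preserving the existing fd flags. */
int set_cloexec(int fd) {
    int flags = fcntl(fd, F_GETFD);
    if (flags < 0)
        return -1;
    return fcntl(fd, F_SETFD, flags | FD_CLOEXEC) < 0 ? -1 : 0;
}

/* Fork and exec a shell that tries to dup the fd onto its stdout. dup2() on an
 * inherited descriptor succeeds whatever its type, so exit status 0 means the
 * child (the "tunnelled service") could reach the socket.
 * Returns 1 = leaked, 0 = closed by exec, -1 = could not run the check. */
int fd_survives_exec(int fd) {
    char cmd[64];
    snprintf(cmd, sizeof cmd, "exec 2>/dev/null; : >&%d", fd);
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        execl("/bin/sh", "sh", "-c", cmd, (char *)NULL);
        _exit(127);
    }
    int status;
    if (waitpid(pid, &status, 0) < 0 || !WIFEXITED(status) || WEXITSTATUS(status) == 127)
        return -1;
    return WEXITSTATUS(status) == 0 ? 1 : 0;
}

/* Side by side: an unprotected listener leaks into the child; one marked
 * close-on-exec does not. Returns 1 when both observations hold. */
int demo_cloexec(void) {
    int leaky = make_listener();
    int guarded = make_listener();
    if (leaky < 0 || guarded < 0)
        return -1;
    int leaked = fd_survives_exec(leaky);        /* expected 1: child reached the socket */
    set_cloexec(guarded);
    int reachable = fd_survives_exec(guarded);   /* expected 0: exec() closed it */
    close(leaky);
    close(guarded);
    return (leaked == 1 && reachable == 0) ? 1 : 0;
}

int main(void) {
    printf("FD_CLOEXEC keeps the listening socket out of the exec()'d service: %s\n",
           demo_cloexec() == 1 ? "yes" : "NO (leak)");
    return 0;
}
```

In a threaded wrapper the separate socket() and fcntl() calls leave a window in which another thread can fork and exec with the flag not yet set; on Linux 2.6.27 and later, passing SOCK_CLOEXEC to socket() (and using accept4() for accepted connections) closes that window.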
32. EZ-WEB Site Builder Advanced Editor Selectedpage Parameter Disclosure
BugTraq ID: 8545
Remote: Yes
Date Published: Sep 04 2003
Relevant URL: http://www.securityfocus.com/bid/8545
Summary:
EZ-WEB Site Builder is software that allows users to create personal and business web pages. Advanced Editor is a text editor included with the package. A vulnerability has been reported in EZ-WEB that may allow remote users to access restricted data outside the server root directory. The issue is reported to exist in the 'selectedpage' parameter, which is not sanitized when it is used to open a file in the Advanced Editor. The vulnerability is due to an access validation error that allows clients to traverse outside of the root directory by using '../' directory traversal sequences as the value of the 'selectedpage' parameter. This may allow an attacker to disclose arbitrary files readable by the web server. Successful exploitation may disclose sensitive information that could be used to launch further attacks against a vulnerable host. EZ-WEB Site Builder v1.5 has been reported vulnerable; other versions may be affected as well.

33. Asterisk SIP Request Buffer Overrun Vulnerability
BugTraq ID: 8546
Remote: Yes
Date Published: Sep 04 2003
Relevant URL: http://www.securityfocus.com/bid/8546
Summary:
Asterisk is a software-based PBX system available for Linux. Asterisk includes support for SIP (the Session Initiation Protocol). Asterisk is prone to a remotely exploitable buffer overrun due to insufficient bounds checking of SIP MESSAGE and INFO requests. In particular, due to a programming error in the chan_sip.c source file, the size argument of a strncat() operation is computed from data supplied in either of these requests.
By passing 1024 bytes in the request body, strncat() is invoked with a negative number as its size argument (which the size_t parameter interprets as a very large unsigned value), causing memory to be corrupted. A NUL byte in the affected page of memory limits the amount of memory that is corrupted in the operation and prevents a page fault, which permits the saved return address to be overwritten with attacker-supplied data. As a result, it is possible to control the execution flow of the program and execute arbitrary code. This issue may be exploited by an unauthenticated remote attacker to execute arbitrary code in the context of the software.
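The mechanism in the Asterisk entry is the classic signed "room left" calculation that goes negative when the attacker's length is as large as the buffer. As an added example (not Asterisk's chan_sip.c and not code from this report), the following constructed C model shows the vulnerable arithmetic, the value strncat() actually receives once the negative int is converted to size_t, and a hardened append that compares the untrusted length against the remaining space in unsigned arithmetic before touching the buffer. The 1024-byte buffer and the function names are assumptions made for the example.

```c
/* Added example, not Asterisk's chan_sip.c: a constructed model of the
 * strncat() size-argument underflow the advisory describes. The 1024-byte
 * buffer and the names are assumptions. */
#include <stdio.h>
#include <string.h>

#define SIP_BODY_BUFFER 1024      /* assumed fixed-size destination buffer */

/* Vulnerable arithmetic: "room left" derived from the attacker-controlled
 * body length in signed int. For content_len >= SIP_BODY_BUFFER - 1 the
 * result is zero or negative. */
int vuln_room(int content_len) {
    return SIP_BODY_BUFFER - content_len - 1;
}

/* What strncat(dst, body, vuln_room(len)) actually receives: the negative int
 * converted to size_t, i.e. an enormous bound, so the copy runs to the end of
 * the body and straight past the buffer. */
size_t strncat_bound_seen(int content_len) {
    return (size_t)vuln_room(content_len);
}

/* Hardened append: the untrusted length is compared with the space actually
 * left in dst, in unsigned arithmetic arranged so nothing can go negative,
 * before any copying. Returns the new length or -1 if refused. */
int append_sip_body(char *dst, size_t dst_size, const char *body, size_t content_len) {
    size_t used = strlen(dst);
    if (used >= dst_size || content_len >= dst_size - used)
        return -1;                                /* no room for body + NUL */
    memcpy(dst + used, body, content_len);
    dst[used + content_len] = '\0';
    return (int)(used + content_len);
}

/* Driver: append a constructed body of content_len 'A' bytes (standing in
 * for a MESSAGE/INFO request body) to an empty buffer. */
int demo_append(size_t content_len) {
    static char body[4096];
    char dst[SIP_BODY_BUFFER] = "";
    if (content_len > sizeof body)
        return -2;
    memset(body, 'A', content_len);
    return append_sip_body(dst, sizeof dst, body, content_len);
}

int main(void) {
    printf("vulnerable room for a 1024-byte body: %d (strncat sees %zu)\n",
           vuln_room(1024), strncat_bound_seen(1024));
    printf("hardened append of 1024 bytes: %d, of 100 bytes: %d\n",
           demo_append(1024), demo_append(100));
    return 0;
}
```

The general rule the model illustrates: a bound passed to strncat(), strncpy() or memcpy() must be derived from the destination's remaining capacity, checked before subtraction, and never from a number the peer supplied in the request.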